
What is SQL Injection?

SQL Injection is a web-based attack used to steal sensitive information from organizations through their web applications. It is one of the most common application-layer attacks in use today. It takes advantage of improperly coded web applications, which let an attacker inject SQL commands into the queries the application builds and sends to its database.

The underlying flaw that makes SQL Injection possible is that the user-input fields of the web application allow SQL statements to pass through and interact with, or query, the database directly.

For example, consider a web application that implements a form-based login, stores the user credentials in a database, and runs a simple SQL query to validate each login attempt.

Here is a typical example:

select * from users where username='admin' and password='admin123';

If the attacker knows that the application administrator's username is admin, he can log in as admin without supplying any password by entering the following as the username:

admin'--

The query in the back-end looks like:

select * from users where username='admin'--' and password='xxx';

The comment sequence (--) causes the rest of the query to be ignored, so the query that is actually executed is equivalent to:

select * from users where username='admin';

So the password check is bypassed.


Different types of SQL Injections

There are three different kinds of SQL Injection possible against web applications:

In-band

Out-of-band

Inferential

In-band:

This is also called error-based or union-based SQL Injection, or first-order injection. The application is said to be vulnerable to in-band injection when the communication between the attacker and the application happens through a single channel, i.e. the attacker uses the same channel to enter the malicious string and to retrieve the data from the database. This is a straightforward technique: the application displays the retrieved data directly on its web pages.

The above URL produces an error on the web page saying "Error in your SQL syntax". This is caused by the extra single quote (') that we entered through the URL, which ends up inside the query in the background. Seeing this error tells us that the URL is vulnerable to in-band SQLi. Figure (b) shows the error that results from concatenating the special character (').

Figure (b)

If the single quote (') is blocked, we can try appending "or 1=1 --" or "and 1=1" to the end of the URL:

Extracting columns from the tables:

Figure (k) displays all the columns of the tables in the database "nilakantatrust". From there we can review the columns and dump the interesting ones, such as passwords, SSNs and credit card numbers.

Out-of-band:

This kind of attack uses two different channels for communication between the attacker and the application. Modern DBMSs are very powerful, and their features go beyond simply returning data to the user: they can be instructed to send e-mail and they can interact with the file system. All of these features are useful to an attacker. The attacker reaches the database through one channel to insert the malicious string, and the DBMS responds through a second channel, such as an e-mail or the output of a command executed via xp_cmdshell.

Inferential:

This is also known as Blind SQL Injection. Here the server does not respond with a syntax error or any other notification. It is very similar to normal SQL Injection, but when attacked the server sends no data back to the attacker; the attacker has to retrieve the data by asking true-or-false questions through SQL commands.

The attacker has to work out the result of each command by observing the application's response. This makes exploiting a SQL Injection more difficult, but not impossible.

Observe the white page in Figure (l), which differs from the page we saw earlier for the URL http://192.168.2.3/news-and-events.php?id=22. By observing this difference we can work out the DBMS type used by the application.

In the above URL I am trying to add 1 to the ID '21' depending on a condition. When we access the URL with ID=21 we get the page shown in Figure (m), and when we access the URL with ID=22 we get the home page shown in Figure (a).

In the URL, %2b stands for '+' and %20 for ' ' (space); this is URL encoding. When a particular symbol is filtered, we can still pass it by encoding it with one of the available encoding techniques.

The condition in the query is built using a "case" statement together with "user_name" (a built-in function in MS-SQL that returns the DB user name). If the function user_name() exists, the condition returns '1', which makes the ID 22; otherwise it returns '0' and the ID remains '21'.

Figure (m)

Figure (m) shows a blank page, which confirms that the DBMS isn't MS-SQL. So now let us check for MySQL.

Finding the version:

If the database version is 5, the substring function returns '5' (we extract only one character) and we compare the result with '5'. If we then see the home page, we can confirm that the database is some 5.x.x version.

If the URL doesn't bring up the home page, we can try changing the comparison value to 4, 3 and so on.

To find the exact version of the database we need to compare the second character of the version. For example:

substr(@@version,2,1)=0
substr(@@version,3,1)=1

So, by observing the responses of the application we can extract a complete version of the database.

Finding the User Name of the database:

We can find out the user name of the database by using the 'case' statement together with the 'substring' function.

Based on the application's responses, keep changing the character that substr() is compared against. Once we have the first letter of the user name, we move on to find the second letter.

For example:

substr(user(),2,1)='r'
substr(user(),3,1)='b' ...

Done this way, finding a single character of the user name means sending more than 200 requests to the server, one for each possible ASCII character. The technique can be optimized: by narrowing the character down one bit at a time (a binary search over the possible ASCII values) a single character can be extracted from the database within 8 requests.
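Because blind injection leaves no error messages, its footprint is the request stream itself: the quote breakouts, the case/substr conditions and the long runs of near-identical probes described above. The following is an added example, not part of the original article, that decodes URL-encoded queries from constructed access-log lines (modelled on the article's news-and-events.php?id= URLs) and flags clients whose requests carry these indicators.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Common Log Format lines modelled on the URLs in the article. Not real traffic.
ACCESS_LOG = """\
192.168.2.50 - - [10/Oct/2023:13:55:36 +0000] "GET /news-and-events.php?id=21 HTTP/1.1" 200 5120
192.168.2.77 - - [10/Oct/2023:13:55:40 +0000] "GET /news-and-events.php?id=21%27 HTTP/1.1" 500 312
192.168.2.77 - - [10/Oct/2023:13:55:41 +0000] "GET /news-and-events.php?id=21%2b(case%20when%20user_name()%3duser_name()%20then%201%20else%200%20end) HTTP/1.1" 200 4410
192.168.2.77 - - [10/Oct/2023:13:55:42 +0000] "GET /news-and-events.php?id=21%2b(substr(@@version,1,1)%3d5) HTTP/1.1" 200 5120
192.168.2.77 - - [10/Oct/2023:13:55:43 +0000] "GET /news-and-events.php?id=21%2b(substr(user(),1,1)%3d%27r%27) HTTP/1.1" 200 5120
192.168.2.77 - - [10/Oct/2023:13:55:44 +0000] "GET /news-and-events.php?id=21%2b(substr(user(),2,1)%3d%27o%27) HTTP/1.1" 200 4410
192.168.2.60 - - [10/Oct/2023:13:56:01 +0000] "GET /news-and-events.php?id=22 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Indicators of the techniques the article walks through: quote and comment
# breakouts, always-true conditions, and the functions used for blind inference.
SQLI_RE = re.compile(
    r"('|--|#|\bor\s+1\s*=\s*1\b|\bunion\s+select\b|\bcase\s+when\b|"
    r"\bsubstr(?:ing)?\s*\(|@@version|\buser(?:_name)?\s*\()",
    re.IGNORECASE,
)


def suspicious_requests(log_text: str) -> list:
    """Return (client_ip, decoded_query, status) for each request whose
    URL-decoded query string matches an indicator. Decoding first defeats
    the %27 / %2b / %23 encoding the article mentions."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        _, _, query = m.group("url").partition("?")
        decoded = unquote_plus(query)
        if SQLI_RE.search(decoded):
            hits.append((m.group("ip"), decoded, m.group("status")))
    return hits


def probable_blind_probing(log_text: str, threshold: int = 3) -> dict:
    """Blind extraction needs many near-identical requests per character, so a
    client with `threshold` or more flagged requests is reported with its count."""
    counts = Counter(ip for ip, _, _ in suspicious_requests(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

The 500 status on the first flagged request is the error-based case from earlier in the article; the later 200 responses with two alternating body sizes are the true/false pages of the blind case.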

Conclusion:

SQL Injection is a technique used to dump an application's entire database by inserting fragments of SQL statements into an input field or the URL.


Kamal B is an Information Security Professional with experience in penetration testing of web applications. Currently a researcher with InfoSec Institute, his blog is located at http://www.securitybasics.wordpress.com

* I’d like to point out there is a difference, in fact, between union based injection and error-based injection. In union based injection you are able to retrieve data WITHOUT causing a database error. Error-based injection requires a database error to be thrown and returns the desired data in the verbose error message. I do agree, though, that both of these are “in band” :)

* Most of the time the browsers will not actually send the '#' character for comment notation (listed in your table above) in the value of a variable, because in the HTTP protocol the '#' character is an anchor (e.g. <a name =…>). The solution to this is to urlencode it before putting it into the URL bar, like you did with the null byte, using '%23' to comment out the query instead of '#'.

* My last tip here is that you can, if the database structure is small enough, use the following query to retrieve table names as well as column names for the current database:

…select group_concat(table_name,0x2e,column_name) from information_schema.columns where table_schema=database()
